Fix npm publishing with OIDC provenance support (#187)

just-be-dev · claude · web-flow · commit 8c8d7b7ead93 · 2026-02-01T01:16:12.000-05:00
* Fix npm package publishing with OIDC provenance support

- Use npm publish with --provenance flag for OIDC attestations instead of bun publish
- Package with bun pm pack, then publish using npm via bunx for provenance support
- Add npm authentication setup step to workflow using NPM_TOKEN secret
- Requires NPM_TOKEN secret to be set in GitHub repository for authentication

Co-Authored-By: Claude Haiku 4.5 &lt;noreply@anthropic.com&gt;

* Remove npm authentication setup step from workflow

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Haiku 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/scripts/publish-package.ts b/scripts/publish-package.ts
@@ -78,8 +78,19 @@ async function publishPackage(packageName: string, packagePath: string): Promise
 
   console.log(`   Publishing...`);
 
-  // Publish to npm (tolerate-republish provides safety net for edge cases)
-  await $`cd ${packagePath} && bun publish --access public --tolerate-republish`;
+  // Package with bun, then publish with npm to get provenance support
+  // npm's --provenance flag enables OIDC-based attestations
+  await $`cd ${packagePath} && bun pm pack`;
+
+  // Find the packed tarball (bun pm pack creates a .tgz file)
+  const files = await Array.fromAsync(new Bun.Glob("*.tgz").scan({ cwd: packagePath }));
+  if (files.length === 0) {
+    throw new Error("No tarball found after packing");
+  }
+  const tarball = files[0];
+
+  // Publish using npm with provenance
+  await $`cd ${packagePath} && bunx npm publish ${tarball} --access public --provenance`;
 
   // Create GitHub release (this creates the tag and release atomically)
   const tag = `${packageName}@${localVersion}`;
